Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
12/06/2024, 23:02
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe
Resource
win10v2004-20240611-en
General
-
Target
2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe
-
Size
4.8MB
-
MD5
3319874e23150bba7627d9e8246022c9
-
SHA1
25a8993d1c9def294bd2392f9e5672a8f43a979e
-
SHA256
02bb716f0204fcedfd4279730433ba7789f3dd5517cdadc274b3b3355741945d
-
SHA512
292f5bc57597c9514d3b66c0bfba299e01873c9a604148c1f2c08acdb1706dcd8e3b1fdfc1543420114326e97d72973e42dacf0186e5aa0a6e2803b92888ed89
-
SSDEEP
49152:D8DvYitEwcVbZ1tSWRa4NL1aMsGuIA5EdBzfZk96c9:YtefBNL1aZh3Edvk8
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3628 go-memexec-102811933.exe -
Enumerates processes with tasklist 1 TTPs 48 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob 2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob 2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description Process
Token: SeDebugPrivilege tasklist.exe (the 48 tasklist.exe PIDs listed under Processes) -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1188
-
-
C:\Users\Admin\AppData\Local\Temp\go-memexec-102811933.exeC:\Users\Admin\AppData\Local\Temp\go-memexec-102811933.exe2⤵
- Executes dropped EXE
PID:3628
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4044
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3776
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1372
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4884
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4944
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:756
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3960
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3696
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:216
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:64
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4628
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wireshark"2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:956
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.6MB
MD5 5efef6cc9cd24baeeed71c1107fc32df
SHA1 3cfc9764083154f682a38831c8229e3e29cbe3ef
SHA256 e61b8f44ab92cf0f9cb1101347967d31e1839979142a4114a7dd02aa237ba021
SHA512 cecd98f0e238d7387b44838251b795bb95e85ec8d35242fc24532ba21929759685205133923268bf8bc0e2ded37db7d88ecbe2b692d2be6f09c6d92a57d1fdac